On Wed, 18 Jun 2014 09:56:46 +0200, Sönke Ludwig wrote:

On 18.06.2014 01:53, David Nadlinger wrote:

Hi,

The title says it all – I'm using SSL streams, and want to verify that
the peer certificate is trusted (has a valid certificate chain to a
trusted root CA), but don't want to check the host name/address
against the X.509 info.

This is handy if you just want to (mis)use client certificates to both
authenticate and securely tunnel RPC calls, but you don't actually
care about the client host name (it might not even have one) and/or IP
address.

Is this possible using the new – and otherwise of course much improved
from my half-baked attempt! – certificate validation interface?

Best,
David

I think it's still too half-baked, actually :)

Currently SSLPeerValidationMode is unfortunately just a list of
increasing validation levels, but validating the peer name is currently
always part of the whole validation (if any). A bit field would have
been the better choice here obviously - I'll try to invent some new
names for individual options and keep the existing enum values as
composite flags.

Implemented: 86ef76e
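The behaviour David asks for (accept a peer certificate because it chains to a trusted root, but skip the host name / address match, and then authenticate on the certificate's own identity) is shown below as an added example written against Python's standard-library ssl module. It is not vibe.d code and says nothing about the SSLPeerValidationMode flags added in the commit above; the CA bundle path and the getpeercert()-shaped sample dict are constructed for the example.

```python
"""Added example: trust a peer certificate on the strength of its chain alone,
without matching its name against the host, using only Python's stdlib ssl."""
import ssl
from typing import Optional

# Assumption: hypothetical bundle holding the CA that issued the client certificates.
CLIENT_CA_BUNDLE = "/etc/example/client-ca.pem"


def chain_only_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client side: the server certificate must chain to a trusted root, but its
    subject / SAN is not matched against the host we connected to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx.load_default_certs()
    # Only the name check is switched off; verify_mode stays CERT_REQUIRED.
    # (ssl refuses CERT_NONE while check_hostname is still True, which is a
    # useful guard against silently disabling everything.)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def chain_only_server_context(certfile: Optional[str], keyfile: Optional[str],
                              ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Server side, the RPC case from the thread: demand a client certificate that
    chains to our client CA. Server contexts never match the peer's host name,
    so only verify_mode needs setting."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)        # our own server identity
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)   # roots the client chain must reach
    ctx.verify_mode = ssl.CERT_REQUIRED  # CERT_OPTIONAL would admit anonymous clients
    return ctx


def is_chain_only(ctx: ssl.SSLContext) -> bool:
    """True when the context still demands a trusted chain but skips name matching.
    CERT_NONE (verify nothing at all) does not count as chain-only."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and not ctx.check_hostname


def peer_identity(cert: dict) -> str:
    """Pull the subject commonName out of a dict shaped like SSLSocket.getpeercert().
    With chain-only validation this CN, not the host name, is what the application
    authorizes the RPC caller against."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    raise ValueError("peer certificate carries no commonName")


# Constructed sample: the shape getpeercert() returns for a verified client cert.
SAMPLE_PEER_CERT = {
    "subject": ((("organizationName", "Example RPC"),), (("commonName", "rpc-client-01"),)),
    "issuer": ((("commonName", "Example Client CA"),),),
    "serialNumber": "01",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    ctx = chain_only_client_context()
    print("chain-only client context:", is_chain_only(ctx))
    print("authenticated peer:", peer_identity(SAMPLE_PEER_CERT))
```

The point of `is_chain_only` is the distinction the thread turns on: dropping the name check is a separate decision from dropping chain validation, and a context that has fallen all the way to `CERT_NONE` must not pass for "chain-only". Whatever identity the application then trusts has to come from the verified certificate itself, which is what `peer_identity` reads out.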